fix: Modify terraform example variables (#9)

Co-authored-by: Alessio Buraggina <aburaggina@google.com>
GoogleCloudPlatform · Apr 29, 2024 · 5e45133 · 5e45133
1 parent f8435f4
commit 5e45133
Show file tree

Hide file tree

Showing 9 changed files with 25 additions and 41 deletions.
diff --git a/ekm-over-vpc-onboarding/README.md b/ekm-over-vpc-onboarding/README.md
@@ -16,8 +16,9 @@ This guide provides instructions of an automation for Cloud External Key Manager
 - (Optional) An existing [GCP project](https://cloud.google.com/resource-manager/docs/creating-managing-projects#creating_a_project) to create all the KMS related resources;
 
 **Note:** VPC and KMS projects are optional because this terraform automation can auto-create them for you. All you need to do is to set `create_kms_project` and `create_vpc_project` to `true` in your `terraform.tfvars` file.
+- If you would like terraform to create kms and vpc projects, please provide account user (the one you used for `gcloud auth login`) with  "roles/resourcemanager.projectCreator" iam role.
 
-**Note 2:** Your EKM provider should be placed/referenced in your VPC project. A Private IP address of the EKM or an IP address for the load balancer pointing to the EKM is required in your `terraform.tfvars` file.
+**Note 2:** Your EKM provider should be placed/referenced in your VPC project. A Private IP address of the EKM or an IP address for the load balancer pointing to the EKM is required in your `terraform.tfvars` file. You will need to edit `modules/create_ekm_resources/network.tf` file for any forwarding-rule resources you would like to add
 
 ## Deploy infrastructure
 
@@ -79,3 +80,7 @@ This guide provides instructions of an automation for Cloud External Key Manager
 | vpc\_project\_id | ID of the VPC project |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+
+**Note 3:** You will need to manually set crypto-key-version to `primary version` by either using Google console or [Google CLI command](https://cloud.google.com/sdk/gcloud/reference/kms/keys/set-primary-version).
+
+Congrats! You have successfully created all your required resources to use EKM over VPC
diff --git a/ekm-over-vpc-onboarding/main.tf b/ekm-over-vpc-onboarding/main.tf
@@ -17,17 +17,16 @@
 module "create_vpc_kms_project" {
   source = "./modules/create_vpc_kms_project"
 
-  organization_id              = var.organization_id
-  folder_id                    = var.folder_id
-  kms_project_name             = var.kms_project_name
-  kms_project_id               = var.kms_project_id
-  vpc_project_name             = var.vpc_project_name
-  vpc_project_id               = var.vpc_project_id
-  billing_account              = var.billing_account
-  project_creator_member_email = var.project_creator_member_email
-  create_kms_project           = var.create_kms_project
-  create_vpc_project           = var.create_vpc_project
-  random_project_suffix        = var.random_project_suffix
+  organization_id       = var.organization_id
+  folder_id             = var.folder_id
+  kms_project_name      = var.kms_project_name
+  kms_project_id        = var.kms_project_id
+  vpc_project_name      = var.vpc_project_name
+  vpc_project_id        = var.vpc_project_id
+  billing_account       = var.billing_account
+  create_kms_project    = var.create_kms_project
+  create_vpc_project    = var.create_vpc_project
+  random_project_suffix = var.random_project_suffix
 }
 
 module "ekm_resources" {

diff --git a/ekm-over-vpc-onboarding/modules/create_vpc_kms_project/README.md b/ekm-over-vpc-onboarding/modules/create_vpc_kms_project/README.md
@@ -16,7 +16,6 @@ This module provides the project infrastructure setup (creation and/or API servi
 | kms\_project\_id | ID of the KMS project you would like to create | `string` | `""` | no |
 | kms\_project\_name | Name of the KMS project you would like to create | `string` | n/a | yes |
 | organization\_id | The ID of the existing GCP organization | `string` | n/a | yes |
-| project\_creator\_member\_email | Email of the user that will be granted permissions to create resources under the projects | `string` | `""` | no |
 | random\_project\_suffix | If true, a suffix of 4 random characters will be appended to project names. Only applies when create project flag is true. | `bool` | `false` | no |
 | vpc\_project\_id | ID of the VPC project, default to same as KMS | `string` | `""` | no |
 | vpc\_project\_name | Name of the VPC project, default to same as KMS | `string` | `""` | no |

diff --git a/ekm-over-vpc-onboarding/modules/create_vpc_kms_project/main.tf b/ekm-over-vpc-onboarding/modules/create_vpc_kms_project/main.tf
@@ -32,17 +32,6 @@ locals {
 
 }
 
-# User Credentials (Default: Current logged in user)
-data "google_client_openid_userinfo" "provider_identity" {
-}
-
-# Add permission to create projects
-resource "google_organization_iam_member" "project_create_iam_member" {
-  org_id = var.organization_id
-  role   = "roles/resourcemanager.projectCreator"
-  member = format("user:%s", var.project_creator_member_email == "" ? data.google_client_openid_userinfo.provider_identity.email : var.project_creator_member_email)
-}
-
 # Create KMS and VPC projects if specified
 module "kms_project" {
   count = var.create_kms_project ? 1 : 0

diff --git a/ekm-over-vpc-onboarding/modules/create_vpc_kms_project/variables.tf b/ekm-over-vpc-onboarding/modules/create_vpc_kms_project/variables.tf
@@ -51,13 +51,6 @@ variable "billing_account" {
   description = "Billing Account for the customer"
 }
 
-variable "project_creator_member_email" {
-  type        = string
-  default     = ""
-  nullable    = true
-  description = "Email of the user that will be granted permissions to create resources under the projects"
-}
-
 variable "folder_id" {
   type        = string
   default     = ""

diff --git a/ekm-over-vpc-onboarding/modules/ekm_resources_creation/main.tf b/ekm-over-vpc-onboarding/modules/ekm_resources_creation/main.tf
@@ -73,6 +73,7 @@ resource "google_kms_crypto_key" "vpc_key" {
   }
   skip_initial_version_creation = true
   crypto_key_backend            = google_kms_ekm_connection.ekm_main_resource.id
+  depends_on                    = [google_service_directory_service.sd_service]
 }
 resource "google_kms_crypto_key_version" "vpc_crypto_key_version" {
   crypto_key = google_kms_crypto_key.vpc_key.id

diff --git a/ekm-over-vpc-onboarding/modules/ekm_resources_creation/network.tf b/ekm-over-vpc-onboarding/modules/ekm_resources_creation/network.tf
@@ -25,9 +25,10 @@ module "vpc-network" {
 
   subnets = [
     {
-      subnet_name   = "${var.network_name}-subnet"
-      subnet_region = var.location
-      subnet_ip     = var.subnet_ip_cidr_range
+      subnet_name           = "${var.network_name}-subnet"
+      subnet_region         = var.location
+      subnet_ip             = var.subnet_ip_cidr_range
+      subnet_private_access = true
     }
   ]
 }

diff --git a/ekm-over-vpc-onboarding/modules/ekm_resources_creation/service_directory.tf b/ekm-over-vpc-onboarding/modules/ekm_resources_creation/service_directory.tf
@@ -25,10 +25,6 @@ resource "google_service_directory_service" "sd_service" {
   provider   = google-beta
   service_id = "${var.servicedirectory_name}-service"
   namespace  = google_service_directory_namespace.sd_namespace.id
-
-  metadata = {
-    region = var.location
-  }
 }
 
 resource "google_service_directory_endpoint" "sd_endpoint" {

diff --git a/ekm-over-vpc-onboarding/terraform.example.tfvars b/ekm-over-vpc-onboarding/terraform.example.tfvars
@@ -16,8 +16,9 @@
 
 organization_id              = "REPLACE-WITH-YOUR-ORG-ID"
 billing_account              = "REPLACE-WITH-YOUR-BILLING-ACCOUNT"
-project_creator_member_email = "" # Set if you want to grant the permissions to a different user than it is authenticated
-folder_id                    = "" # Set if you want to create the projects in a specific GCP folder (Applies only when create flag is true)
+project_creator_member_email = ""            # Set if you want to grant the permissions to a different user than it is authenticated
+folder_id                    = ""            # Set if you want to create the projects in a specific GCP folder (Applies only when create flag is true)
+location                     = "us-central1" # Set if you want to create resources in a specific location
 
 create_kms_project = false # Set to true if you want to auto-create the KMS project
 create_vpc_project = false # Set to true if you want to auto-create the VPC project
@@ -32,4 +33,4 @@ vpc_project_name = "sample-vpc-project-name" # (Applies only when create flag is
 external_provider_hostname = "REPLACE-WITH-YOUR-EKM-HOSTNAME"
 external_provider_raw_der  = "REPLACE-WITH-YOUR-RAW-DER"  # The raw certificate bytes in DER format. A base64-encoded string. For more info see: https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.ekmConnections#Certificate
 external_key_manager_ip    = "REPLACE-WITH-YOUR-EKM-IP"   # Set with a Private IP address of the EKM or an IP address for the load balancer pointing to the EKM
-ekm_connection_key_path    = "REPLACE-WITH-YOUR-KEY-PATH" # Set with Cloud EKM key version.
+ekm_connection_key_path    = "REPLACE-WITH-YOUR-KEY-PATH" # Set with Cloud EKM key version.